Enterprise electronic assets are typically protected via a variety of security mechanisms. One such mechanism is a user-supplied id-password combination that an enterprise's security system requires before access to a desired asset is given within the enterprise. Generally, the access permissions given to the user in the above-mentioned scenario depend in large part on the identified user and the identified resource.
Normally, the user has no control over the format of the password supplied to the security system. So, if the format for the user password requires it to be eight characters in length and include at least one non-alphabetic character, the user cannot supply an alternative arrangement when the user initially sets the password or supplies a new password when a prior password expires.
Administrators decide on password formats and password complexity based on a variety of competing interests. First, administrators want passwords to be sufficiently complex that the passwords are not easily compromised by automated programs or nefarious intruders. At the same time, the administrators do not want the formats to be so complex that the users have a difficult time remembering them. In fact, passwords that are overly complex may actually create unexpected security breaches because the users may resort to writing their passwords down on sticky notes or memo pads where nefarious individuals can acquire them to gain access to the enterprise's assets.
One attribute that may be associated with a password's complexity is the length of time for which the password remains valid before it expires. So, a password with a large degree of complexity may not expire at all, whereas a password with little to no complexity may expire in a few days or even hours.
Administrators perform a balancing act between password complexity and password expiration lengths. The goal is to prevent unauthorized password detection and usage while maintaining usability from the perspective of the users.
Other considerations may also weigh heavily on the minds of administrators, such as how particular assets will be accessed and by which users and perhaps during what time frames. Such considerations often require the administrator to set up multiple and sometimes disparate security systems within the enterprise, since existing security access mechanisms do not permit such customization and security access granularity.
Thus, what is needed is a mechanism that allows for custom and variable security information to be used when accessing assets of an enterprise without sacrificing desired security levels.